Date: Sun, 20 Nov 2005 12:37:36 -0500
From: Doug Lee <dgl@dlee.org>
To: freebsd-questions@freebsd.org
Subject: VLAN security question
Message-ID: <20051120173736.GK1042@kirk.dlee.org>
I set up a FreeBSD box to be firewall/NAT/mailserver/etc. for a company, but that company subsequently went to a VoIP system, installed a Cisco switch, programmed the switch to route Internet traffic through the BSD box as before but also to route telephone traffic NOT through it, then set things up so that the workstations in the building are plugged into the phones (which have little hubs in them). Internet traffic is now on a VLAN, and telephone traffic is on a different VLAN.

Running tcpdump on a workstation indicates that VLAN traffic can be seen there (sensible because the phones contain hubs, not switches). Tcpdump also shows that people on the Internet can send packets onto the telephone VLAN (i.e., random packets from the world can reach the phones and the workstations on that VLAN). The packets I'm seeing with tcpdump are still encapsulated.

Question: Is this a security problem? For example, can a packet be crafted out there to show up non-encapsulated and on the workstation network, thus circumventing my FreeBSD firewall?

Up to now, I've been assuming that this network is as secure as the phones themselves, meaning that if someone can hack a telephone and make it do things on the network, we have a problem, but otherwise we don't. That prospect also bothers me but is probably outside the scope of my question. :-)

-- 
Doug Lee                 dgl@dlee.org
SSB + BART Group         doug@bartsite.com   http://www.bartsite.com
"Determine that the thing can and shall be done, and then...find the way." - Abraham Lincoln
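[Editor's note, not part of the original message.] The question above turns on what "still encapsulated" means on the wire: an 802.1Q-tagged frame carries an EtherType of 0x8100 after the source MAC, then a 16-bit TCI whose low 12 bits are the VLAN ID, then the real EtherType; a frame can carry more than one such tag, and a frame with no tag at all is what the switch will deliver into whatever VLAN the port is configured for. `tcpdump -e -nn` prints the tag for each frame, and the `vlan` filter primitive selects tagged frames. The script below is an added example for checking a capture against the concerns in the message: it peels the tag stack off each frame, extracts the IPv4 source, and reports frames whose source lies outside the local ranges on the voice VLAN, frames that arrive with no tag from an outside source, and frames carrying stacked tags. The VLAN IDs (10 for data, 20 for voice), the RFC 1918 "local" ranges, and the sample frames are all constructed for the example, not taken from the poster's network.

```python
"""Inspect Ethernet frames for 802.1Q tags and out-of-place IPv4 sources.

Added example: not code from the original mailing-list message. VLAN IDs,
local ranges and sample frames are assumptions made up for illustration.
"""
import struct
import ipaddress

TAG_ETHERTYPES = {0x8100, 0x88A8, 0x9100}   # 802.1Q C-tag, 802.1ad S-tag, legacy QinQ
ETHERTYPE_IPV4 = 0x0800


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame, peeling off any stacked VLAN tags.

    Returns dst/src MACs, the VLAN IDs (outermost first), the EtherType found
    after the last tag, and src_ip/dst_ip when the payload is IPv4.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    off = 12
    vlans = []
    (ethertype,) = struct.unpack("!H", frame[off:off + 2])
    off += 2
    while ethertype in TAG_ETHERTYPES:
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        vlans.append(tci & 0x0FFF)          # VID is the low 12 bits of the TCI
        off += 4
    info = {"dst": mac_str(dst), "src": mac_str(src),
            "vlans": vlans, "ethertype": ethertype}
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= off + 20:
        info["src_ip"] = ipaddress.IPv4Address(frame[off + 12:off + 16])
        info["dst_ip"] = ipaddress.IPv4Address(frame[off + 16:off + 20])
    return info


def audit_frame(frame: bytes, local_nets, voice_vlan: int) -> list:
    """Return findings for one frame; an empty list means nothing unusual."""
    info = parse_frame(frame)
    findings = []
    src_ip = info.get("src_ip")
    external = src_ip is not None and not any(src_ip in net for net in local_nets)
    if len(info["vlans"]) > 1:
        findings.append("stacked VLAN tags %s from %s" % (info["vlans"], info["src"]))
    if external and info["vlans"][:1] == [voice_vlan]:
        findings.append("external source %s on voice VLAN %d" % (src_ip, voice_vlan))
    if external and not info["vlans"]:
        findings.append("untagged frame from external source %s" % src_ip)
    return findings


# --- constructed sample frames (assumed values, not captured traffic) --------
def ipv4_header(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header: ver/IHL, TOS, total length, ID, flags/frag,
    TTL, protocol (UDP), zero checksum, src, dst."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_frame(vlans, src_ip: str, dst_ip: str) -> bytes:
    """Ethernet II frame carrying IPv4, with zero or more 802.1Q tags."""
    hdr = bytes.fromhex("000102030405") + bytes.fromhex("0a0b0c0d0e0f")
    for vid in vlans:
        hdr += struct.pack("!HH", 0x8100, vid)   # TPID, then TCI with PCP=0, DEI=0
    hdr += struct.pack("!H", ETHERTYPE_IPV4)
    return hdr + ipv4_header(src_ip, dst_ip)


LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]   # assumed site ranges
DATA_VLAN, VOICE_VLAN = 10, 20                           # assumed VLAN IDs

SAMPLES = {
    "phone-to-phone on voice VLAN":  build_frame([VOICE_VLAN], "10.0.20.5", "10.0.20.9"),
    "internet reply on data VLAN":   build_frame([DATA_VLAN], "198.51.100.7", "10.0.10.3"),
    "internet packet on voice VLAN": build_frame([VOICE_VLAN], "198.51.100.7", "10.0.20.5"),
    "double-tagged frame":           build_frame([DATA_VLAN, VOICE_VLAN], "198.51.100.7", "10.0.20.5"),
    "untagged from outside":         build_frame([], "198.51.100.7", "10.0.10.3"),
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        print("%-32s %s" % (label, audit_frame(frame, LOCAL_NETS, VOICE_VLAN) or "ok"))
```

To run this over a real capture, feed parse_frame() the raw link-layer bytes of each frame (for example from a pcap file written with `tcpdump -w`) instead of the SAMPLES dictionary; the findings are observations for the reader to weigh, not a verdict on the poster's network.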